CryptoLocker / Crilock Malware

November 5th, 2013

Recently a new variant of ransomware has surfaced called CryptoLocker (or Crilock, the name Microsoft uses). Whereas past ransomware put a warning on the screen and locked you out of normal use (e.g. claiming the AFP had your details), this variant actually encrypts your Office, PDF and image files. The key is a 2048-bit RSA key pair generated per victim on the criminals' server; only the public half ever reaches your PC, so nothing on the machine can undo the encryption. As of now the ONLY way to get your files decrypted is to pay the ransom (about US$400 at the moment) within the 90 hour countdown the malware displays, in exchange for the private key. And people are doing it, as they have no choice if they don't have a backup (note the malware writers are actually delivering the decrypt keys to those who pay, so they are running a real operation; the last count I read was more than US$7M collected so far).
The malware normally arrives via email. It comes as an attachment (usually inside a zip file) that the user opens, which runs the malware on their PC. The activity may not be immediate, since the malware first has to locate a live Command & Control server on the internet and obtain its encryption key from it; only then does it start encrypting, and it works through every drive letter the user can reach, mapped network shares included.
This document gives a very good technical rundown of the malware: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information.
So what to do?
1. Make sure your AV is up to date so it will block the infection when it arrives. Most AV should be updating automatically every day. We use Kaspersky, which picks up all these malware samples in the tests we've done.
2. Make sure you have a good backup of the files that matter to you, and keep it somewhere the PC cannot write to all the time (a backup drive that is always plugged in, or a mapped share, gets encrypted along with everything else). All businesses should have this anyway, but home users need to be especially aware (imagine losing ALL your kids' photos from the last 10 years...).
3. Always look at the email you get and make sure it looks legitimate and is from someone you would expect to send you a file! An example is the ones claiming to come from Westpac, and people who don't even have a Westpac account click on the attachment...
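Since the infection arrives as an executable hidden inside a zip attachment, the check worth automating is to look inside the zip before anyone double-clicks it. The following is an added example, not code from the original post: it flags entries whose extension Windows will execute (including "Invoice.pdf.exe" double-extension names that Explorer shows as "Invoice.pdf") and entries whose content starts with the PE "MZ" header regardless of name, and it flags entries it cannot open, since password-protected zips are a common way past mail scanners. It assumes PowerShell 3 or later with .NET 4.5 (for System.IO.Compression.FileSystem); the extension list and the sample path are assumptions.

```powershell
# Added example (not from the original post). Assumes PowerShell 3+ and .NET 4.5.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions Windows runs on double-click (assumed list, extend to suit your environment)
$ExecutableExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.vbe',
                          '.js', '.jse', '.wsf', '.hta', '.cpl', '.msi')

function Test-ZipAttachment {
    param([Parameter(Mandatory=$true)][string]$Path)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq '') { continue }     # directory entries have an empty Name
            $ext = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()

            # Check 1: executable by extension (also catches "Statement.pdf.exe")
            $byExtension = $ExecutableExtensions -contains $ext
            if ($byExtension) {
                $findings += "Executable by extension: $($entry.FullName)"
            }

            # Check 2: executable by content. A Windows PE file starts with 'MZ' whatever
            # it is called. Encrypted entries throw on Open() and are flagged as unreadable.
            try {
                $stream = $entry.Open()
                try {
                    $magic = New-Object byte[] 2
                    $read  = $stream.Read($magic, 0, 2)
                    $isPE  = ($read -eq 2) -and ($magic[0] -eq 0x4D) -and ($magic[1] -eq 0x5A)
                    if ($isPE -and -not $byExtension) {
                        $findings += "PE header under a non-executable name: $($entry.FullName)"
                    }
                } finally { $stream.Dispose() }
            } catch {
                $findings += "Could not read entry (password protected?): $($entry.FullName)"
            }
        }
    } finally { $zip.Dispose() }

    New-Object PSObject -Property @{
        Path       = $Path
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

# Usage (the path is a placeholder):
# Test-ZipAttachment -Path "$env:USERPROFILE\Downloads\Westpac_Statement.zip" | Format-List
```

Anything the function marks Suspicious should go to the AV console rather than to the user's desktop; a zip that only contains a genuine PDF or document produces no findings.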

James

MS Update causes Kaspersky to fail and scandisk to run

May 2nd, 2013

There is a recent update from Microsoft which can cause issues with Kaspersky virus protection. The system will show 'no valid license' in Kaspersky and it will run chkdsk (scandisk) on each boot (and find no errors).
This is due to the recent MS update (KB2823324), which changes the NTFS driver file. The solution is to remove the update from your computer (Microsoft have already pulled it from Windows Update) and reboot, which lets the system return to normal function. Windows 7 is affected, as is Server 2008. To remove a Windows update use Programs and Features in the Control Panel, and choose View installed updates on the left. They are listed in date order, and this update was released 8/4/13 (day/month/year).

Details from Kaspersky on the issue are HERE, and the Microsoft post on the update can be found HERE

Unable to access network shares until you click on them – EnableLinkedConnections

March 11th, 2013

Came across this issue recently: when you boot a Windows 7 PC the network shares do not work until you click on them, and then they are all fine. Some programs can't get into the folders to access the data until you activate them, which is annoying to say the least (why isn't it automatic?).

So the fix? Registry edit time.
What EnableLinkedConnections actually changes: under UAC an administrator's logon carries two tokens, the filtered standard-user token that Explorer runs with and the full token a program gets after the UAC prompt, and a drive mapped under one token is not visible to processes running under the other. That is the usual reason a program cannot reach a share the user can plainly see in Explorer. With the value set, Windows creates the mapping for both tokens.
In regedit navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Add a NEW DWORD (32-bit) value called EnableLinkedConnections and set its value to 1.
Caveat: this deliberately re-joins something UAC keeps apart, so anything that does get elevated now also sees every drive the standard token mapped. Microsoft document the value as a workaround rather than a default, so set it only on machines where the symptom is real.

Reboot and you should find your network drives are no longer inactive on boot.

hiberfil.sys, pagefile.sys and an SSD based Intel i5 PC

February 20th, 2013

So I decided to do some build work on a new PC, one that would run on an SSD with a fast CPU and lots of RAM. The build used a Samsung 840 120GB SSD (on SATA3), an Intel i5 3330 quad core CPU, 16GB of Corsair DDR3 RAM (2x8GB in dual channel) and Windows 7 PRO.
Yes, it is fast! Boots to the Windows desktop in mere seconds and everything just responds super fast. Installing programs is also very, very quick.
The issue: with a plain load of Windows installed I only had 55GB free on the drive. Huh? After formatting and installing there should be about 80GB free. So I did some hunting around and, after turning ON Show Protected System Files (Control Panel->Folder Options->View->untick Hide protected operating system files), I could see what was taking up the space: pagefile.sys (virtual memory, which by default is sized to match the RAM, so 16GB here) and hiberfil.sys (the image of RAM written when you hibernate), both stored in the root of the system drive (C: in most cases).
Now I have no interest in hibernating this desktop, and with 16GB of RAM I doubt I will need any virtual memory (used when the system runs out of physical RAM). Two caveats before you do the same: with no pagefile at all Windows cannot write a crash dump if it blue-screens (the dump is staged through the pagefile), and a process that commits more memory than the RAM will fail rather than page, so a small fixed pagefile of a few hundred MB is the safer middle ground if you ever need to debug a crash. Also note that hiberfil.sys is a complete copy of RAM, including any passwords or keys that were in memory at hibernate time, so removing it also removes that artefact from the disk. The 2 steps required are:
1. Turn OFF the pagefile for the C drive (Control Panel->System->Advanced->Performance Settings->Advanced->Change. Then untick Automatically manage paging file size and SET the C drive to No paging file).
2. Turn OFF hibernate and remove the file. This is not as simple as changing the power options in Control Panel, since that turns OFF hibernate BUT leaves the file on the drive. So open an Administrative Command Prompt (right click on Command Prompt -> Run as administrator) and type the following command:
powercfg -h off
Job done! Close to 80GB free now – and the system runs fully from RAM so its a pleasure to operate…
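The same two steps can be scripted so they are repeatable across builds and so you can see the space come back. This is an added example, not code from the original post: it takes a before and after reading of the system drive, turns off automatic pagefile management and deletes the pagefile setting for the system drive through WMI, then runs the same powercfg command. It assumes Windows 7 (the Win32_ComputerSystem and Win32_PageFileSetting WMI classes) and an elevated PowerShell prompt; the 512 MB figure in the commented alternative is an assumption.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt on Windows 7.
function Get-SystemDriveUsage {
    $sys  = $env:SystemDrive                                   # usually C:
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$sys'"
    $page = Get-Item "$sys\pagefile.sys" -Force -ErrorAction SilentlyContinue
    $hib  = Get-Item "$sys\hiberfil.sys" -Force -ErrorAction SilentlyContinue
    $pageGB = 0; if ($page) { $pageGB = [math]::Round($page.Length / 1GB, 1) }
    $hibGB  = 0; if ($hib)  { $hibGB  = [math]::Round($hib.Length  / 1GB, 1) }
    New-Object PSObject -Property @{
        FreeGB     = [math]::Round($disk.FreeSpace / 1GB, 1)
        PageFileGB = $pageGB
        HiberFilGB = $hibGB
    }
}

'Before:'; Get-SystemDriveUsage | Format-List

# Step 1: stop Windows managing the pagefile, then remove the setting for the system drive
$cs = Get-WmiObject Win32_ComputerSystem -EnableAllPrivileges
$cs.AutomaticManagedPagefile = $false
[void]$cs.Put()
Get-WmiObject Win32_PageFileSetting |
    Where-Object { $_.Name -like "$env:SystemDrive*" } |
    ForEach-Object { $_.Delete() }

# Alternative to removing it outright: keep a small fixed pagefile so crash dumps still work
# Set-WmiInstance -Class Win32_PageFileSetting -Arguments @{ Name = "$env:SystemDrive\pagefile.sys"; InitialSize = 512; MaximumSize = 512 }

# Step 2: turn hibernation off; powercfg deletes hiberfil.sys immediately
powercfg -h off

'After (pagefile.sys is only released on the next reboot):'; Get-SystemDriveUsage | Format-List
```

The pagefile change only takes effect after a reboot, so the second reading shows hiberfil.sys gone while pagefile.sys is still present until you restart.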

James Joyce

Windows 8 Media Centre Upgrade FREE

November 28th, 2012

For those who have used Windows Media Centre (in the XP and Windows 7 versions) you may be a bit disappointed with Windows 8: it is NOT part of either the Home or PRO versions by default. If you have Win8 Home you need to upgrade to the PRO Pack, and if you have PRO you need to add the Media Centre Pack.

Until Jan 31st 2013, if you have Windows 8 PRO you can get the Media Centre upgrade FREE! Follow the link here and supply your email, and the key will be emailed to you from Microsoft:
http://windows.microsoft.com/en-US/windows-8/feature-packs

Exchange 2010 Message Throttling

October 29th, 2012

I've been spending some time working on message filtering for Exchange 2010. We have some clients set up with an external spam filter that handles all the email, so the Exchange server only sees traffic from 1 SMTP source. Which is fine unless the Exchange system gets overloaded with mail and starts to throttle messages based on source IP, of which there is only 1: the mail filter! So have a look at the various options you can play with from the Exchange Management Shell and the following commands:
Get-ReceiveConnector | Set-ReceiveConnector (-MaxInboundConnection, -MaxInboundConnectionPerSource, -MaxInboundConnectionPercentagePerSource, -MessageRateLimit, -MessageRateSource)
Get-ThrottlingPolicy | Set-ThrottlingPolicy (note that throttling policies govern client traffic such as Outlook, OWA, EWS and ActiveSync, not anonymous SMTP from the filter, so they are unlikely to be the knob you need here)
and consider turning OFF the Exchange anti-spam features, since that job is being done elsewhere. Look at increasing limits (or setting them to unlimited or $null depending on the choices for the option). Two cautions: only disable anti-spam if nothing but the filter can reach port 25 on the Exchange server (firewall rules plus a receive connector restricted to the filter's IP), otherwise anyone who finds the server's address can skip the filter entirely; and raise the per-source limits only on the connector the filter uses, not on a connector open to the whole internet, or you give up the protection those limits provide against a single host flooding the server.
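The cleaner way to relax the per-source limits for one trusted source is to give the filter its own receive connector rather than loosening every connector. Exchange routes an inbound session to the connector whose RemoteIPRanges most specifically matches the source address, so a connector scoped to the filter's IP wins over the default connector's 0.0.0.0-255.255.255.255 range while the default keeps its limits for everyone else. This is an added example, not code from the original post; the server name and the filter's IP address are placeholders, and it assumes the Exchange 2010 Management Shell.

```powershell
# Added example (not from the original post). Placeholders: $Server and $FilterIP.
$Server   = 'HUB01'
$FilterIP = '203.0.113.10'

# A connector that only the spam filter matches, with the per-source limits opened up
New-ReceiveConnector -Server $Server -Name 'Inbound from spam filter' -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $FilterIP `
    -PermissionGroups AnonymousUsers -AuthMechanism Tls `
    -MaxInboundConnection 5000 `
    -MaxInboundConnectionPerSource Unlimited `
    -MaxInboundConnectionPercentagePerSource 100 `
    -MessageRateLimit Unlimited -MessageRateSource None

# Review every connector on the server so the default one is confirmed to keep its limits
Get-ReceiveConnector -Server $Server |
    Format-Table Name, RemoteIPRanges, MaxInboundConnectionPerSource,
                 MaxInboundConnectionPercentagePerSource, MessageRateLimit, MessageRateSource -AutoSize
```

Pair this with a firewall rule that only admits port 25 from the filter, since the connector's RemoteIPRanges decides which limits apply but does not stop other hosts from connecting to the default connector.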
James Joyce MCITP

Microsoft Windows 8 in stock NOW

October 23rd, 2012

Windows 8 is finally here: the next version of the Windows operating system. Sporting a new Metro (tile) interface and running on the same system requirements as Windows 7, it's a must have for all PC users. Check it out in store or at:

http://windows.microsoft.com/en-GB/windows-8/release-preview

Kaspersky Registration Page

October 23rd, 2012

Kaspersky in Australia have recently undergone some changes, so for anyone with retail packs or OEM copies needing to register their software for the first time, the new website is:

http://registerkaspersky.com.au

Exchange email Whitelist via console – BypassedSenders

September 3rd, 2012

Exchange does support whitelisting of email addresses and domains, but not from the GUI. It must be done from the Exchange Management Shell (PowerShell), using Set-ContentFilterConfig -BypassedSenders for addresses and -BypassedSenderDomains for whole domains.
The catch is that passing a list to -BypassedSenders replaces the whole list, so if you pass just one address you lose the addresses you set up previously. (Exchange 2010 also accepts the @{Add="..."} syntax on multivalued properties, which appends without reading the list back first.) Two things worth knowing before you rely on it: the bypass only skips the Content Filter agent, so Sender Filter, Sender ID and each user's own Outlook junk settings still apply; and it matches on the envelope sender, which is trivially forged, so a bypassed domain is an open door for spoofed mail claiming to be from that domain. Prefer individual addresses and keep the list short.
This script addresses the overwrite problem by reading in the existing list and then writing it back with the extra address you need to add:

$whitelist = (Get-ContentFilterConfig).BypassedSenders   # current list (a multivalued property)
$whitelist.Add("new.mail@domain.com")                    # append the new address in memory
Set-ContentFilterConfig -BypassedSenders $whitelist     # write the whole list back

To see the current config (which includes both bypass lists) simply run Get-ContentFilterConfig by itself.
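For more than the occasional address it helps to have a function that accepts addresses and domains, skips anything already present, and uses the append form so nothing is overwritten. This is an added example, not the script from the post: it assumes the Exchange 2010 Management Shell (Set-ContentFilterConfig with the @{Add=...} syntax), and the addresses in the usage line are placeholders.

```powershell
# Added example (not from the original post). Assumes the Exchange 2010 Management Shell.
function Add-ContentFilterBypass {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string[]]$Sender)
    begin {
        $cfg = Get-ContentFilterConfig
        # Normalise the existing entries to plain lower-case strings for comparison
        $existingAddresses = @($cfg.BypassedSenders       | ForEach-Object { "$_".ToLowerInvariant() })
        $existingDomains   = @($cfg.BypassedSenderDomains | ForEach-Object { "$_".ToLowerInvariant() })
        $addresses = @(); $domains = @()
    }
    process {
        foreach ($s in $Sender) {
            $s = $s.Trim().ToLowerInvariant()
            if ($s -match '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
                if ($existingAddresses -contains $s) { Write-Verbose "Already bypassed: $s"; continue }
                $addresses += $s
            } elseif ($s -match '^[a-z0-9.-]+\.[a-z]{2,}$') {
                # Whole-domain bypass matches any forged envelope sender in that domain
                Write-Warning "Bypassing a whole domain ($s) lets spoofed mail from it through the content filter"
                if ($existingDomains -contains $s) { Write-Verbose "Already bypassed: $s"; continue }
                $domains += $s
            } else {
                Write-Warning "Not an address or a domain, skipped: $s"
            }
        }
    }
    end {
        # @{Add=...} appends to the multivalued property instead of replacing it
        if ($addresses.Count -gt 0) { Set-ContentFilterConfig -BypassedSenders       @{ Add = $addresses } }
        if ($domains.Count   -gt 0) { Set-ContentFilterConfig -BypassedSenderDomains @{ Add = $domains } }
        Get-ContentFilterConfig | Select-Object BypassedSenders, BypassedSenderDomains
    }
}

# Usage (addresses are placeholders):
# 'new.mail@domain.com', 'accounts@partner.example' | Add-ContentFilterBypass -Verbose
```

Running it twice with the same input is harmless, since entries already on the list are reported and skipped rather than sent to Exchange again.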

Exchange 2010 Sender Filter

August 31st, 2012

A customer was not able to receive email from 1 client; the sender would always get an error back saying:
5.1.0 Sender denied
We spent time going through the Exchange Sender Filter anti-spam options (which were changed from Reject to Stamp and allow) and also through the anti-spam software running on the server (configuring whitelists for the incoming email), and yet it would still get bounced. They showed up in the Exchange log as arriving, so there was no question they were getting to the system.
Turns out Exchange 2010 (and possibly 2007) also pulls block lists for senders from the end user's OUTLOOK: safelist aggregation copies each mailbox's Safe Senders and Blocked Senders lists into Active Directory, and the Sender Filter agent then rejects mail to that recipient from a blocked sender with exactly this response. So we logged into the user's OWA and went to the block list and what do you know, the customer had blocked the sender! By mistake of course... Removed their email and all fixed.
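Rather than logging into each user's OWA, the quickest way to find out who has a sender blocked is to query the junk mail configuration of the mailboxes from the shell. This is an added example, not code from the original post: it checks every mailbox (or just the ones you name) for the sender address, its bare domain, or the "@domain" form Outlook uses for domain entries, and shows the cmdlet that removes the entry once found. It assumes the Exchange 2010 SP1 or later Management Shell, where Get-MailboxJunkEmailConfiguration exists; the sender address in the usage lines is a placeholder.

```powershell
# Added example (not from the original post). Assumes Exchange 2010 SP1+ Management Shell.
function Find-BlockedSender {
    param(
        [Parameter(Mandatory=$true)][string]$Sender,   # the address that is being refused
        [string[]]$Mailbox                             # optional: limit the search to these mailboxes
    )
    $sender = $Sender.Trim().ToLowerInvariant()
    $domain = $sender.Split('@')[-1]

    if ($Mailbox) { $mailboxes = $Mailbox | ForEach-Object { Get-Mailbox -Identity $_ } }
    else          { $mailboxes = Get-Mailbox -ResultSize Unlimited }

    foreach ($mb in $mailboxes) {
        # Mailboxes that have never been opened may have no junk configuration yet
        $junk = Get-MailboxJunkEmailConfiguration -Identity $mb.Identity -ErrorAction SilentlyContinue
        if (-not $junk) { continue }

        $hits = @($junk.BlockedSendersAndDomains | Where-Object {
            $entry = "$_".ToLowerInvariant()
            ($entry -eq $sender) -or ($entry -eq $domain) -or ($entry -eq "@$domain")
        })
        if ($hits.Count -gt 0) {
            New-Object PSObject -Property @{
                Mailbox     = $mb.PrimarySmtpAddress.ToString()
                Entry       = ($hits -join ', ')
                JunkEnabled = $junk.Enabled
            }
        }
    }
}

# Usage (sender and mailbox are placeholders):
# Find-BlockedSender -Sender 'sales@supplier.example'
# Remove the offending entry once you know where it is (aggregation picks the change up server-side):
# Set-MailboxJunkEmailConfiguration -Identity 'user' -BlockedSendersAndDomains @{ Remove = 'sales@supplier.example' }
```

Searching all mailboxes is slow on a large server, so pass -Mailbox with the intended recipient when the bounce tells you who it was addressed to.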

James Joyce MCITP